NadMail
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFECREDENTIALS_UNSAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages Ethereum private keys for SIWE authentication. While it provides AES-256-GCM encryption for keys stored on disk and recommends using environment variables, the handling of cryptographic secrets in the agent's environment increases the risk of credential exposure if the host machine is compromised.\n- [DATA_EXFILTRATION]: Scripts access sensitive local files including
~/.nadmail/private-key.encand~/.nadmail/token.json. The skill also performs network operations to the vendor's API atapi.nadmail.ai. Accessing wallet data and transmitting derived signatures to a remote API is a sensitive operation requiring user trust.\n- [COMMAND_EXECUTION]: Thesend.jsscript provides a command-line interface that allows the agent to execute on-chain transactions (Emo-buy). This capability allows the agent to spend cryptocurrency, which introduces financial risk if the agent is manipulated into executing unauthorized transactions.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its email reading functionality.\n - Ingestion points:
scripts/inbox.jsreads untrusted subject lines and body text from incoming emails and presents them to the agent.\n - Boundary markers: The skill does not implement delimiters or safety instructions to prevent the agent from following commands embedded in the email content.\n
- Capability inventory: The agent can perform network requests and execute financial transactions through the
send.jsscript.\n - Sanitization: No sanitization is performed on incoming email content, creating a surface where malicious actors could send instructions that the agent might inadvertently execute.
Audit Metadata